Download Games and the Impossibility of Realizable Ideal Functionality

CS 155
Unwanted Traffic:
Denial of Service Attacks
Dan Boneh
1
What is network DoS?
Goal: take out a large site with little computing work
How: Amplification
 Small number of packets ⇒
big effect
Two types of amplification attacks:
 DoS bug:
 Design flaw allowing one machine to disrupt a
service
 DoS flood:
 Command bot-net to generate flood of requests
2
DoS can happen at any layer
This lecture:


Sample Dos at different layers (by order):
 Link
 TCP/UDP
 Application
DoS mitigations
Sad truth:
 Current Internet not designed to handle DDoS attacks
3
Warm up:
802.11b
Radio jamming attacks:
Protocol DoS bugs:


DoS bugs
trivial, not our focus.
[Bellardo, Savage, ’03]
NAV (Network Allocation Vector):
 15-bit field. Max value: 32767
 Any node can reserve channel for NAV seconds
 No one else should transmit during NAV period
… but not followed by most 802.11b cards
De-authentication bug:
 Any node can send deauth packet to AP
 Deauth packet unauthenticated
⇒ attacker can repeatedly deauth anyone
4
Smurf amplification DoS attack
1 ICMP Echo Req
Src: Dos Target
Dest: brdct addr
DoS
Source
3 ICMP Echo Reply
Dest: Dos Target
gateway
DoS
Target
Send ping request to broadcast addr (ICMP Echo Req)
Lots of responses:

Every host on target network generates a ping
reply (ICMP Echo Reply) to victim
Prevention: reject external packets to broadcast address
5
Modern day example
DNS Amplification attack:
( ×50 amplification )
DNS Query
SrcIP: Dos Target
(60 bytes)
DoS
Source
(Mar ’13)
EDNS Reponse
(3000 bytes)
DNS
Server
DoS
Target
2006: 0.58M open resolvers on Internet (Kaminsky-Shiffman)
2017: 15M open resolvers (openresolverproject.org)
⇒ 3/2013: DDoS attack generating 309 Gbps for 28 mins.
6
Feb. 2014: 400 Gbps via NTP amplification (4500 NTP servers)
7
Review: IP Header format
0
Connectionless
 Unreliable
 Best effort
31
Version
Flags
Header Length
Type of Service
Total Length
Identification
Fragment Offset
Time to Live
Protocol
Header Checksum
Source Address of Originating Host
Destination Address of Target Host
Options
Padding
IP Data
8
Review: TCP Header format
TCP:
 Session based
 Congestion control
 In order delivery
0
31
Source Port
Dest port
SEQ Number
ACK Number
U A P P S F
R C S S Y I
G K H R N N
Other stuff
9
Review: TCP Handshake
C
S
SN ⟵randC
SYN: ANC ⟵0
C
SNS⟵randS
SYN/ACK: AN ⟵SN
S
C
SN⟵SNC
ACK: AN⟵SN
S
Listening
Store SNC , SNS
Wait
Established
10
TCP SYN Flood I: low rate
C
S
(DoS bug)
Single machine:
SYNC2
• SYN Packets with
random source IP
addresses
SYNC3
• Fills up backlog queue
on server
SYNC1
SYNC4
SYNC5
• No further connections
possible
11
SYN Floods
(phrack 48, no 13, 1996)
OS
Linux 1.2.x
FreeBSD 2.1.5
WinNT 4.0
Backlog timeout:
Backlog
queue size
10
128
6
3 minutes
• Attacker needs only 128 SYN packets every 3 minutes
• Low rate SYN flood
12
Low rate SYN flood defenses
The problem:
 server commits resources (memory)
before client responds
Non-solution:
 Increase backlog queue size or decrease timeout
Correct solution (when under attack) :
 Syncookies: remove state from server

Small performance overhead
14
Syncookies
[Bernstein, Schenk]
Idea: use secret key and data in packet to gen. server SN
Server responds to Client with SYN-ACK cookie:
 T = 5-bit counter incremented every 64 secs.

L = MACkey (SAddr, SPort, DAddr, DPort, SNC, T)
[24 bits]
 key: picked at random during boot


SNS = (T . mss . L)
( |L| = 24 bits )
Server does not save state (other TCP options are lost)
Honest client responds with ACK ( AN=SNS , SN=SNC+1 )
 Server allocates space for socket only if valid SNS
15
SYN floods: backscatter
[MVS’01]
SYN with forged source IP  SYN/ACK to random host
16
Backscatter measurement
Listen to unused IP addresss space (darknet)
/8 network
monitor
0
232
Lonely SYN/ACK packet likely to be result of SYN attack
2001:
2013:

400 SYN attacks/week
773 SYN attacks/24 hours
(arbor networks ATLAS)
Larger experiments: (monitor many ISP darknets)
 Arbor networks
17
Estonia attack
(ATLAS ‘07)
Attack types detected:
 115 ICMP floods,
4 TCP SYN floods
Bandwidth:
 12 attacks:
70-95 Mbps for over 10 hours
All attack traffic was coming from outside Estonia
 Estonia’s solution:
 Estonian ISPs blocked all foreign traffic until
attacks stopped
⇒ DoS attack had little impact inside Estonia
18
Massive floods
(e.g. Mirai 9/2016 on Krebs)
Command bot army to flood specific target: (DDoS)
• Flood with SYN, ACK, UDP, and GRE packets
• 623 Gbps (peak) from ≈100K compromised IoT devices
• At web site:
•
•
Saturates network uplink or network router
Random source IP ⇒
attack SYNs look the same as real SYNs
• What to do ???
19
src: incapsula.com
20
Google project shield
Protecting news organizations.
(Commercial service: Akamai, Cloudlare, … )
Idea: only forward established TCP connections to site
Lots-of-SYNs
Lots-of-SYN/ACKs
Few ACKs
Project
Shield
Proxy
Forward
to site
Web
site
21
Stronger attacks: GET flood
Command bot army to:



Complete TCP connection to web site
Send short HTTP GET request
Repeat
Will bypass SYN flood protection proxy
… but:
 Attacker can no longer use random source IPs.
 Reveals location of bot zombies

Proxy can now block or rate-limit bots.
23
A real-world example: GitHub
popular
server
Javascript-based DDoS:
honest
end user
github.com
(3/2015)
inject
imageFlood.js
imageFlood.js
function imgflood() {
var TARGET = 'victim-website.com/index.php?’
var rand = Math.floor(Math.random() * 1000)
var pic = new Image()
pic.src = 'http://'+TARGET+rand+'=val'
}
setInterval(imgflood, 10)
Would HTTPS
prevent this DDoS?
24
DNS DoS Attacks
(e.g. Dyn attack 10/2016)
DNS runs on UDP port 53
• DNS entry for victim.com hosted at DNSProvider.com
DDoS attack:
• flood DNSProvider.com with DNS queries
• Random source IP address in UDP packets
• Takes out entire DNS server (collateral damage)
Dyn attack: used some Mirai-based bots
• At least 100,000 malicious end points
⇒ Dyn cannot answer many legit DNS queries
⇒ Disrupted service at Netflix, Github, Twitter, …
25
DoS via route hijacking
YouTube is 208.65.152.0/22 (includes 210 IP addr)
youtube.com is 208.65.153.238, …
Feb. 2008:
 Pakistan telecom advertised a BGP path for
208.65.153.0/24
(includes 28 IP addr)
 Routing decisions use most specific prefix
 The entire Internet now thinks
208.65.153.238
is in Pakistan
Outage resolved within two hours
… but demonstrates huge DoS vuln. with no solution!
26
DoS Mitigation
28
1. Client puzzles
Idea: slow down attacker
Moderately hard problem:
 Given challenge C find X such that
n
LSBn ( SHA-1( C || X ) ) = 0



Assumption: takes expected 2n time to solve
For n=16 takes about .3sec on 1GhZ machine
Main point: checking puzzle solution is easy.
During DoS attack:
 Everyone must submit puzzle solution with requests
 When no attack: do not require puzzle solution
29
Examples
GET floods (RSA ‘99)
 Example challenge:
C = TCP server-seq-num
 First data packet must contain puzzle solution
 Otherwise TCP connection is closed
SSL handshake DoS: (SD’03)
 Challenge C based on TLS session ID
 Server: check puzzle solution before RSA decrypt.
30
Benefits and limitations
Hardness of challenge: n
 Decided based on DoS attack volume.
Limitations:


Requires changes to both clients and servers
Hurts low power legitimate clients during attack:
 Clients on cell phones and tablets cannot connect
31
Memory-bound functions
CPU power ratio:
 high end server / low-end IoT device = 8000
⇒ Impossible to scale to hard puzzles
Interesting observation:
 Main memory access time ratio:
 high end server / low-end IoT device = 2
Better puzzles:
 Solution requires many main memory accesses
 Dwork-Goldberg-Naor, Crypto ‘03
 Abadi-Burrows-Manasse-Wobber, ACM ToIT ‘05
32
2. CAPTCHAs
Idea: verify that connection is from a human
Applies to application layer DDoS [Killbots ’05]
 During attack: generate CAPTCHAs and process
request only if valid solution
 Present one CAPTCHA per source IP address.
33
3. Source identification
Goal: identify packet source
Ultimate goal:
block attack at the source
34
1. Ingress filtering
Big problem:
(RFC 2827, 3704)
DDoS with spoofed source IPs
ISP
Internet
Ingress filtering policy: ISP only forwards packets
with legitimate source IP
(see also SAVE protocol)
35
Implementation problems
ALL ISPs must do this.
Requires global trust.
 If 10% of ISPs do not implement ⇒
no defense
 No incentive for deployment
2017:
 33% of Auto. Systems are fully spoofable
(spoofer.caida.org)
 23% of announced IP address space is spoofable
Recall: 309 Gbps attack used only 3 networks (3/2013)
2. Traceback
[Savage et al. ’00]
Goal:
 Given set of attack packets
 Determine path to source
How: change routers to record info in packets
Assumptions:
 Most routers remain uncompromised
 Attacker sends many packets
 Route from attacker to victim remains relatively
stable
37
Simple method
Write path into network packet
 Each router adds its own IP address to packet
 Victim reads path from packet
Problem:
 Requires space in packet
 Path can be long
 No extra fields in current IP format

Changes to packet format too much to expect
38
Better idea
DDoS involves many
packets on same path
A1
Store one link in each
packet


Each router
probabilistically stores
own address
Fixed space regardless
of path length
A2
R6
A3
R7
A4
A5
R8
R9
R10
R12
V
39
Edge Sampling
Data fields written to packet:
 Edge: start and end IP addresses
 Distance: number of hops since edge stored
Marking procedure for router R
if coin turns up heads (with probability p) then
write R into start address
write 0 into distance field
else
if distance == 0 write R into end field
increment distance field
40
Edge Sampling: picture
Packet received
 R receives packet from source or another router
1
 Packet contains space for start, end, distance
packet
R1
s
e d
R2
R3
41
Edge Sampling: picture
Begin writing edge
 R chooses to write start of edge
1
 Sets distance to 0
packet
R1
R1
0
R2
R3
42
Edge Sampling
Finish writing edge
 R chooses not to overwrite edge
2
 Distance is 0
 Write end of edge, increment distance to 1
packet
R1
R1 R2 1
R2
R3
43
Edge Sampling
Increment distance
 R chooses not to overwrite edge
3
 Distance >0
 Increment distance to 2
packet
R1
R2
R1 R2 2
R3
44
Path reconstruction
Extract information from attack packets
Build graph rooted at victim
 Each (start,end,distance) tuple provides an edge
# packets needed to reconstruct path
ln(d)
p(1-p)d-1
where p is marking probability, d is length of path
E(X) <
45
Problem: Reflector attacks
[Paxson ’01]
Reflector:
 A network component that responds to packets
 Response sent to victim
(spoofed source IP)
Examples:



DNS Resolvers: UDP 53 with victim.com source
 At victim: DNS response
Web servers: TCP SYN 80 with victim.com source
 At victim: TCP SYN ACK packet
NTP servers
48
DoS Attack
Single Master
Many bots to
generate flood
Zillions of reflectors to
hide bots
 Kills traceback and
pushback methods
49
Capability based defense
50
Capability based defense
Anderson, Roscoe, Wetherall.
 Preventing internet denial-of-service with
capabilities.
SIGCOMM ‘04.
Yaar, Perrig, and Song.
 Siff: A stateless internet flow filter to mitigate DDoS
flooding attacks. IEEE S&P ’04.
Yang, Wetherall, Anderson.
 A DoS-limiting network architecture.
SIGCOMM ’05
51
Capability based defense
Basic idea:
 Receivers can specify what packets they want
How:
 Sender requests capability in SYN packet
 Path identifier used to limit # reqs from one source
 Receiver responds with capability
 Sender includes capability in all future packets

Main point: Routers only forward:
 Request packets, and
 Packets with valid capability
52
Capability based defense
Capabilities can be revoked if source is attacking
 Blocks attack packets close to source
R1
Source AS
R2
R3
Transit AS
R4
dest
Dest AS
Attack packets
dropped
53
Take home message:
Denial of Service attacks are real:
Must be considered at design time
Sad truth:
 Internet is ill-equipped to handle DDoS attacks
 Many commercial solutions: CloudFlare, Akamai, …
Many proposals for core redesign
59
THE END
60